…downloads and installs it in the background without prompting the user. The new version of the software gets applied when the browser is restarted.
Given that more than 45 percent of internet users do not use the latest web browser version, according to Google research, it would seem that there is a big need for this.
"Our philosophy is users shouldn't have to care," Fette said. "Everything should keep working for them."
When Chrome first launched in September, it had two exploitable vulnerabilities. Google released patches for them within 24 hours, Fette said.
"End users don't know whether to refuse or accept software updates. Chrome just forces them on people," Hoffman said. "It's a good example of not letting users make poor security choices."
Nevertheless, some want the choice. For IT administrators wanting to control software updates themselves, Google recently added options to allow enterprises to customise when and how they get Chrome updates, Fette said.
Chrome, which released its latest security patch this week, had 14 exploits last year based on statistics on the Milmw0rm website, HP's Wood said. However, any comparisons to the number of exploits or patches on Chrome compared to IE or Firefox are difficult because Chrome has far fewer users and thus is less targeted by attackers, he added.
Tricking the user
According to experts, Chrome does a great job of protecting against exploits of vulnerabilities where attackers sneak code through a hole in the browser to install malware or run code on the computer. However, it is not so good when it comes to protecting them against web-based attacks such as cross-site scripting, cross-site forgery, SQL injections and phishing, in which an attacker tricks users into doing something they did not intend to via the browser.
"One thing Google needs to work on… is user security," said Wood.
Chrome lacks the plug-in support Firefox has to protect against malicious scripts hiding on websites. For instance, there is no Chrome equivalent to the NoScript Firefox plug-in that allows users to choose which scripts on a site they want to run or block. However, this is likely to change.
"We are in the middle of building our own browser extension system so that something like NoScript could be done," Fette said. "For many people, it's a noisy option. It asks a lot of questions and if you're not focused on security, it could be hard to make it work."
IE8 offers a cross-site scripting defence mechanism that protects users against those type of attacks, Wood said.
Google is evaluating cross-site scripting protections, but Fette said, "You have to make sure it's based on standards and won't break sites."
IE also lets users turn off JavaScript. Chrome does not, although it does sandbox JavaScript. Fette said: "If you turn off JavaScript, you may turn off navigation on a bank site" — or otherwise render a site unusable. "It's not an option we feel is viable, so we don't offer it."
Two other popular exploit targets, Adobe Flash and Adobe Reader, are not sandboxed in Chrome because doing so caused problems with auto update or other features, Fette added. "Sandbox is not a panacea."
The two-browser prescription
Jeremiah Grossman, chief technology officer and co-founder of Whitehat Security, suggests that people use two different browsers for the safest experience: Chrome for "promiscuous web surfing" and Firefox with the NoScript plug-in for important activities, such as checking email or online banking.
Fette said because each Chrome tab is a separate process, the system has the same protection as using two different browsers.
Finally, Chrome should do a better job at password management, according to Wood. None of the other browsers does better, but Google should raise the bar, he said.
"There is no real security with password management. You can open it up and see all the passwords in clear text," he said. "A browser needs a good password manager. People can't remember all the passwords for all the sites [they use] on the internet."
In response, Fette said someone with access to a computer can do plenty of damage already — for example installing a key logger to monitor what the user types.
"Chrome came out and lit a fire under Firefox and IE. It's driven a lot of innovation and a lot of that has been in security and general usability," said Wood. "We're moving toward a more secure browser. A lot of that has to do with getting people to understand about the threats that exist on the web."
